13.
Permission Protection
• Exported components should be limited with permissions
• Only available to apps with the same signature
• If you really want to offer a component for public use
• Great care is required in the implementation

15.
Task Manager Snooping
• Remove your app from the recent app list
• Put this code in onCreate() to show a blank screen in the list
getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
• Or add this flag to the intent that launches an activity to remove it entirely from the list
intent.addFlags(Intent.FLAG_ACTIVITY_EXCLUDE_FROM_RECENTS);

16.
Tapjacking
• Prevent touches from being sent through elements with this attribute:
android:filterTouchesWhenObscured="true"
• Or by using this method:
view.setFilterTouchesWhenObscured(true);

17.
Dictionary
• Disable additions to the dictionary to keep passwords and other secrets out
• Add this attribute to an EditText box:
android:inputType="textVisiblePassword"

21.
Browsable Activities
• Can be used directly from a web browser
• High-value targets for attackers
• Avoid using BROWSABLE
• If you use it, consider all possible intents that could cause actions in your app

25.
Directory Traversal
• The getCanonicalPath() method removes .. characters and provides the absolute path to a file
• The code on the next page uses this to limit paths to the /files/ subdirectory of the app's private data directory
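An added example (not the slide deck's own "next page" code) of the getCanonicalPath() check described above, written in plain Java so it runs off-device; the filesDir argument stands in for Android's context.getFilesDir(), and the sample inputs are constructed:

```java
import java.io.File;
import java.io.IOException;

/** Confines caller-supplied file names to the app's private files/ directory. */
public final class SafePath {

    /**
     * Returns the canonical File for userPath if it resolves inside filesDir,
     * or null if the path would escape it.
     */
    public static File resolveInFilesDir(File filesDir, String userPath) throws IOException {
        // Canonicalise the base first so "..", "." and symlinks in it cannot skew the comparison.
        String base = filesDir.getCanonicalPath();
        // Join the untrusted name under the base directory.
        File candidate = new File(filesDir, userPath);
        // getCanonicalPath() resolves "..", "." and any existing symlinks to an absolute path,
        // so a symlink inside files/ that points elsewhere is also caught here.
        String canonical = candidate.getCanonicalPath();
        // The trailing separator matters: ".../files2/x" must not pass for a base of ".../files".
        if (canonical.startsWith(base + File.separator)) {
            return new File(canonical);
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for context.getFilesDir(); the directory need not exist.
        File filesDir = new File(System.getProperty("java.io.tmpdir"), "demo-app/files");
        String[] inputs = {
            "notes.txt",                 // allowed
            "sub/../notes.txt",          // allowed: ".." stays inside files/
            "../shared_prefs/creds.xml", // rejected: escapes files/
            "../files2/evil.txt",        // rejected: sibling directory sharing the prefix
        };
        for (String in : inputs) {
            File f = resolveInFilesDir(filesDir, in);
            System.out.println(in + " => " + (f == null ? "REJECTED" : f.getPath()));
        }
    }
}
```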

53.
Protection Level Downgrade
• Your app can check to make sure the protection levels are intact at each entry point

54.
Protecting Non-Exported Components
• Attacker with root permissions can interact with them
• You can add a request token to prevent that
• Randomly generated
• Stored in a static variable in memory
• Intents must have this token to run